Apple Patches Tiger and Leopard

Apple plugs 31 security flaws across its current OS X lineup.

Apple Mac users: It's time to patch your systems. Yes, again, after a whole lot of patches this year.

Security Update 2007-009 from Apple provides updates for both OS 10.4 Tiger as well as the new OS 10.5 Leopard. In total there are 31 fixes for issues ranging in severity from information disclosure to arbitrary code execution. As an added bonus, if you're running Apple's Safari browser for Windows XP or Vista, you also need to update.

Among the issues fixed are three that deal with Apple's use of CUPS (Common UNIX Printing System). For both Tiger and Leopard users, there is a memory corruption issue that could enable an attacker to crash a system or execute arbitrary code.

Another CUPS issue, affecting only Tiger, involves the use of SNMP (Simple Network Management Protocol). According to Apple's advisory on the issue, "The CUPS back-end SNMP program broadcasts SNMP requests to discover network print servers. A stack buffer overflow may result from an integer underflow in the handling of SNMP responses." As a result, the system could crash or arbitrary code could be executed.
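As an added illustration of the bug class the SNMP advisory describes (this is not CUPS code and not Apple's fix), the following C example shows a hypothetical response-length computation in which an unsigned subtraction underflows past a bounds check that looks adequate, beside the corrected check; HDR_LEN, BUF_LEN and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN  4u   /* hypothetical fixed header preceding the payload */
#define BUF_LEN 64u   /* size of the fixed stack buffer the payload is copied into */

/* Length computation as a vulnerable parser might write it: the upper-bound check
 * looks sufficient, but for pkt_len < HDR_LEN the unsigned subtraction wraps. */
size_t payload_len_unsafe(size_t pkt_len) {
    if (pkt_len > HDR_LEN + BUF_LEN)
        return 0;                     /* oversized: rejected */
    return pkt_len - HDR_LEN;         /* underflows when pkt_len < HDR_LEN */
}

/* Corrected computation: lower bound before the subtraction, upper bound on
 * the result. Returns false for any packet that must be rejected. */
bool payload_len_safe(size_t pkt_len, size_t *out_len) {
    if (pkt_len < HDR_LEN)
        return false;                 /* shorter than the header itself */
    size_t n = pkt_len - HDR_LEN;     /* cannot wrap: pkt_len >= HDR_LEN */
    if (n > BUF_LEN)
        return false;                 /* would not fit the buffer */
    *out_len = n;
    return true;
}

/* Copies a response payload into a BUF_LEN-byte buffer using the safe
 * length. Returns bytes copied, or -1 if the packet was rejected. */
int copy_payload(const uint8_t *pkt, size_t pkt_len, uint8_t out[BUF_LEN]) {
    size_t n;
    if (!payload_len_safe(pkt_len, &n))
        return -1;
    memcpy(out, pkt + HDR_LEN, n);
    return (int)n;
}

/* Self-check on a constructed 20-byte response (4-byte header, 16-byte payload);
 * also shows the unsafe length for a 3-byte packet exceeding BUF_LEN. */
bool demo_constructed_response(void) {
    uint8_t pkt[20] = {0}, out[BUF_LEN];
    pkt[HDR_LEN] = 0x42;              /* first payload byte */
    pkt[19] = 0x99;                   /* last payload byte */
    return copy_payload(pkt, sizeof pkt, out) == 16
        && out[0] == 0x42 && out[15] == 0x99
        && copy_payload(pkt, 3, out) == -1
        && payload_len_unsafe(3) > BUF_LEN;
}
```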

A third CUPS issue affecting Tiger is a buffer overflow within the printer driver itself. The impact of this flaw could be privilege escalation.

Apple has also fixed its iChat instant messaging application in Tiger. According to Apple's advisory, "a person on the local network may initiate a video connection without the user's approval." Apple has resolved the issue by requiring the user's approval before a video conference can start.

There are also a lot of fixes for dynamic languages in Apple's update including new versions of Perl, Python and Ruby.

For Leopard, which was updated to version 10.5.1 just a month ago, there is a fix for the Software Update mechanism itself. Apple's advisory describes a situation in which, when Software Update checks Apple's repository for updates, a man-in-the-middle attack is possible.